[PATCH] check user access ok writing /proc/irq/<pid>/smp_affinity

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Paul Jackson <pj@sgi.com>
To: linux-ia64@vger.kernel.org
Subject: [PATCH] check user access ok writing /proc/irq/<pid>/smp_affinity
Date: Tue, 25 Nov 2003 04:15:47 +0000	[thread overview]
Message-ID: <marc-linux-ia64-106973370622421@msgid-missing> (raw)

David,

Could you kindly apply the following patch?

In arch/ia64/kernel/irq.c:irq_affinity_write_proc() there
is an unchecked user access that examines writes to files
/proc/irq/<pid>/smp_affinity for a leading character 'R',
in order to trigger some interrupt redirect feature.

You can oops the kernel easily, by issuing a write() system
call to these files with a bogus address.

Here's a patch against test10 to fix it:


# This is a BitKeeper generated patch for the following project:
# Project Name: Linux kernel tree
# This patch format is intended for GNU patch command version 2.5 or higher.
# This patch includes the following deltas:
#	           ChangeSet	1.1484  -> 1.1485 
#	arch/ia64/kernel/irq.c	1.31    -> 1.32   
#
# The following is the BitKeeper ChangeSet Log
# --------------------------------------------
# 03/11/24	pj@sgi.com	1.1485
# Verify user access_ok writing /proc/irq/<pid>/smp_affinity on arch ia64
# --------------------------------------------
#
diff -Nru a/arch/ia64/kernel/irq.c b/arch/ia64/kernel/irq.c
--- a/arch/ia64/kernel/irq.c	Mon Nov 24 19:41:58 2003
+++ b/arch/ia64/kernel/irq.c	Mon Nov 24 19:41:58 2003
@@ -1004,6 +1004,9 @@
 	if (!desc->handler->set_affinity)
 		return -EIO;
 
+	if (!access_ok(VERIFY_READ, buf, count))
+		return -EFAULT;
+
 	if (buf[0] = 'r' || buf[0] = 'R') {
 		++buf;
 		while (*buf = ' ') ++buf;


# More details ...

Test code of program to demonstrate bug:

#include <stdio.h>
#include <stdlib.h>
main(int argc,char **argv)
{
    long x = strtoul(argv[1],0,16);
    fprintf(stderr,"writing from addr 0x%lx\n", x);
    write(1,x,16);
}

Compile to 'foo' and invoke it by doing:

  # cd /proc/irq/99    # where 99 is some pid
  # foo 9999 > smp_affinity 

See an oops such as:

Unable to handle kernel paging request at virtual address 0000000000009999
foo[2779]: Oops 8813272891392 [1]

Pid: 2779, CPU 31, comm:                  foo
psr : 0000101008026018 ifs : 800000000000048c ip  : [<a000000100013810>]    Not tainted
ip is at irq_affinity_write_proc+0x70/0x240
unat: 0000000000000000 pfs : 000000000000048c rsc : 0000000000000003
rnat: 0000000000000000 bsps: 0000000000000000 pr  : 80000000ff76a519
ldrs: 0000000000000000 ccv : 0000000000000000 fpsr: 0009804c0270033f
csd : 0000000000000000 ssd : 0000000000000000
b0  : a0000001000137d0 b6  : a000000100002d70 b7  : a0000001000137a0
f6  : 000000000000000000000 f7  : 000000000000000000000
f8  : 000000000000000000000 f9  : 000000000000000000000
f10 : 000000000000000000000 f11 : 000000000000000000000
r1  : a0000001009acb00 r2  : a0000001006315e0 r3  : a0000001006ddaf8
r8  : a0000001006ddac0 r9  : a0000001007ade58 r10 : 0000000000000063
r11 : e00006307b4e2c98 r12 : e00007b07bdefe10 r13 : e00007b07bde8000
r14 : 20000000002c6b50 r15 : a00000010062c9d8 r16 : e0000ab07be9be90
r17 : a00000010070d4c0 r18 : 0000000000000000 r19 : e0000f307bd01f88
r20 : a000000100169da0 r21 : 40000000000002c0 r22 : 2000000000203cc0
r23 : e0000f307bd01f80 r24 : 0000000000000400 r25 : 0000000000000000
r26 : c00000000000040b r27 : 0000000000000408 r28 : e0000f307bd01edc
r29 : a00000010070d4b8 r30 : a00000010070d498 r31 : a0000001001d2e80

Call Trace:
 [<a000000100015160>] show_stack+0x80/0xa0
                                spà0007b07bdef9e0 bspà0007b07bde9168
 [<a000000100038930>] die+0x1b0/0x260
                                spà0007b07bdefbb0 bspà0007b07bde9140
 [<a000000100059940>] ia64_do_page_fault+0x360/0x9a0
                                spà0007b07bdefbb0 bspà0007b07bde90e0
 [<a00000010000ddc0>] ia64_leave_kernel+0x0/0x260
                                spà0007b07bdefc40 bspà0007b07bde90e0
 [<a000000100013810>] irq_affinity_write_proc+0x70/0x240
                                spà0007b07bdefe10 bspà0007b07bde9080
 [<a0000001001d2f40>] proc_file_write+0xc0/0xe0
                                spà0007b07bdefe20 bspà0007b07bde9058
 [<a000000100169c40>] vfs_write+0x200/0x2a0
                                spà0007b07bdefe20 bspà0007b07bde9010
 [<a000000100169e00>] sys_write+0x60/0xc0
                                spà0007b07bdefe20 bspà0007b07bde8f98
 [<a00000010000dc40>] ia64_ret_from_syscall+0x0/0x20
                                spà0007b07bdefe30 bspà0007b07bde8f98
 Segmentation fault


-- 
                          I won't rest till it's the best ...
                          Programmer, Linux Scalability
                          Paul Jackson <pj@sgi.com> 1.650.933.1373

next             reply	other threads:[~2003-11-25  4:15 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2003-11-25  4:15 Paul Jackson [this message]
2003-11-25  7:11 ` [PATCH] check user access ok writing /proc/irq/<pid>/smp_affinity David Mosberger

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=marc-linux-ia64-106973370622421@msgid-missing \
    --to=pj@sgi.com \
    --cc=linux-ia64@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.